WhatsApp Takes Indian Government to Court Over Mandatory Identification Requirement

Lumen Database Team
May 28, 2021

This week, WhatsApp petitioned the Delhi High Court in India, challenging the newly enforced Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, specifically their compulsory decryption requirement.

Rule 4(2) and Rule 6 of the Rules require all social media intermediaries operating in India to, at the request of the government or the courts, enable identification of the first originator of a message shared on their platform, which will require decryption of relevant messages. In the instances where the originator of a message is not based in India, the first person in India to have shared the information would be deemed as the originator of that information. The Rules impose criminal sanctions for non-compliance with requests to identify.

A WhatsApp spokesperson commented on the decryption requirement, noting that, “Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.” In its petition to the court, WhatsApp claims that the rule requires traceability without prior judicial review and also falls short of meeting the legality, necessity, and proportionality requirements when restricting Indian citizens’ right to privacy, which was stipulated to be a fundamental right by the Indian Supreme Court in 2017. WhatsApp also has an ongoing case on similar grounds before the Supreme Court of Brazil, after the Brazilian government blocked the platform multiple times in 2015 and 2016 for not complying with legal requests to decrypt messages.

The Indian government clarified that the objective for this requirement was to ensure that individuals sharing inflammatory messages inciting violence could be identified and penalized. However, the belief that optimum security measures require a compromise on privacy, often through extra-legal surveillance, is a problematic one. Scholars have written extensively about how there does not need to be a tradeoff between the right to privacy and ensuring citizens’ safety and security. Weakening encryption or granting backdoor access “defeats the entire purpose of encryption and exposes users’ data to increased risks” and false identifications of first originators of the messages are also highly likely because people often tend to share messages across platforms.

WhatsApp’s legal challenge is one of six other challenges made to the 2021 IT Rules since their enforcement in February this year. The grounds for other challenges, as collated by India’s internet law and policy think tank Internet Freedom Foundation, mainly related to the Rules’ “arbitrary and vague restrictions on digital news media”.

Ironically, despite this concern for users and their privacy, WhatsApp, which has previously claimed that India is its largest user-base, has already been the subject of ongoing controversy in India for the past few months because of its new privacy policy, which confirmed that Facebook would be given access to WhatsApp’s meta-data and to any messages sent using Business accounts on WhatsApp. Not consenting to the new policy would result in the deactivation of the user’s WhatsApp account or new limits on user features (a stand WhatsApp reversed on May 27). These actions are contrary to the assurances made by Facebook and WhatsApp to the public, the United States Federal Trade Commission, and the European Competition Commission prior to Facebook’s acquisition of WhatsApp, in 2016. In fact, in 2017, the European Commission fined Facebook over 100 million euros for misleading the commission to believe that Facebook was technically unable to link its users to those of WhatsApp.

WhatsApp’s challenge to the decryption requirement is in line with similar concerns raised by civil society in countries like Australia, France, Germany, and Brazil. The discussion of WhatsApp’s challenge has helped move the conversation along in India, where this ongoing case will be an important one that shapes the future of the right to privacy in the Indian legal landscape. Regardless of the outcome, WhatsApp, like other online service providers such as Google, Twitter, and YouTube, could also further its commitment to transparency by publicly disclosing any removal and/or decryption requests that it receives, for example by sharing copies with the Lumen Database.

Finally, all of this takes place against the backdrop that India has yet to pass a Data Protection Law, and the current proposed data protection bill carves out far-reaching exceptions that let the government bypass its protections. An additional requirement that messaging applications decrypt, collect and provide to the government sensitive personal data on an ad hoc basis and without necessary judicial review is hard to reconcile with the right to privacy that has been theoretically guaranteed to Indian citizens.

About the Author: Shreya is an Employee Fellow at the Berkman Klein Center, where she works on the Lumen Project. She is a passionate digital rights activist and uses her research and writing to raise awareness about how digital rights are human rights. She tweets at @shreyatewari96!

Lumen Database Team

Collecting and facilitating research on requests to remove online material. Visit lumendatabase.org and email us if you have questions.